How would I map this display filter to a capture filter?

Hi guys - I've got the following script, which I've made fairly generic so we can capture all traffic on a subnet (or a series of them):

SETLOCAL EnableDelayedExpansion
set TSHARK="C:\Program Files (x86)\Wireshark\tshark"
set LOCATION=C:\temp\wireshark\
set NAME=bc4.pcapng
rem subnets to capture; libpcap reads a three-octet "net 10.198.1" as 10.198.1.0/24
set net1=net 10.198.1
set net2=net 10.198.4
set net3=net 10.198.2
set net4=net 10.198.64
set net5=net 10.198.63
rem hosts to drop entirely, as source and as destination (space-separated list)
set ip_list=10.198.1.200
rem set socket_range=tcp port 2096 and tcp portrange 20000-20399
rem capture filter: any of the subnets, minus one UDP port range and port 5900 in either direction
rem the range bounds are written high-low; libpcap swaps them, so this reads as 2500-2530
set "FILTER=(%net1% or %net2% or %net3% or %net4% or %net5%) and not udp portrange 2530-2500 and not port 5900"
rem delayed expansion is what lets FILTER grow inside the loop body
for %%i in (%ip_list%) do set "FILTER=!FILTER! and ip src not %%i and ip dst not %%i"
if not exist %LOCATION% mkdir %LOCATION%
rem -i 5: interface number 5 (see tshark -D); ring buffer of up to 2000 files of 50000 kB each
%TSHARK% -i 5 -b filesize:50000 -b files:2000 -f "%FILTER%" -w %LOCATION%%NAME%

I'd like to see if I can add a particular display filter, which is: sttp.offset == 0. I don't think it's possible, but it will always be from UDP 2550, and it will be the first one in the stream (I just want to verify it's there), as the STTP traffic will make up about 80-90% of all the traffic in this instance.

1 Answer

OK, standard Wireshark has no dissector for a protocol named "STTP", so I don't know what protocol that is, and I had to ask The Great Gazoogle what it might be. The mechanisms that implement capture filters (a mechanism in libpcap and various OS kernels, where the filter is compiled into a pseudo-machine program and interpretively executed or translated to machine code and executed) and display filters (implemented in Wireshark as something that uses the result of Wireshark's dissection of packets) are completely different, and there is no general mechanism for turning a display filter into a capture filter (and some display filters simply cannot be turned into capture filters, as the BPF pseudo-machine does not support looping and thus cannot handle any protocol whose dissection requires a loop).

So we'll need to have a specification for this protocol.

If STTP is the Secure Token Transfer Protocol, then that's a text protocol carried on top of HTTP. Capture filters can't easily parse HTTP text (if they can do so at all), so that won't be possible.

If STTP is the Streaming Telemetry Transport Protocol, it's not obvious from a quick look at the spec which field would be the "offset" field, so I can't yet tell you whether it's even possible to filter on it at capture time, much less how a filter could be implemented if it is possible*.

You may simply have to use udp port 2550, which will capture all STTP traffic; "the first one in the stream" cannot be implemented in a capture filter, as capture filters are stateless - the first STTP packet can't set a flag that will be checked for all subsequent STTP packets.
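To make the stateless-versus-stateful distinction in the answer concrete, here is an added example (not part of the original Q&A, and not Wireshark or libpcap code): a pure-Python stand-in for the two filter classes, run over a handful of constructed Ethernet/IPv4/UDP frames. `capture_filter_match()` is the per-packet byte test a BPF capture filter can express; `first_in_stream()` is the "first one in the stream" check, which needs memory across packets. The frame layout is real, but the assumption that the STTP "offset" is a 4-byte big-endian field at the very start of the UDP payload is hypothetical, made up for the example; the question does not say where that field sits.

```python
# Added example (not from the original Q&A, Wireshark or libpcap): a pure-Python stand-in
# for the two filter classes the answer contrasts, run over constructed sample frames.
#   capture_filter_match(): stateless per-packet byte tests, the only thing BPF can do
#   first_in_stream():      stateful "first packet of a flow", which needs memory across packets
# Hypothetical assumption (not in the question): STTP's "offset" is a 4-byte big-endian field
# at the start of the UDP payload, i.e. udp[8:4] in libpcap syntax.
import socket
import struct

STTP_PORT = 2550  # the UDP port the question says STTP always comes from


def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet/IPv4/UDP frame; checksums are left 0, fine for an offline sample."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return eth + ip_hdr + udp_hdr + payload


def udp_view(frame):
    """(src_ip, dst_ip, sport, dport, payload) for an IPv4/UDP frame, else None.
    Mirrors what libpcap's 'udp' qualifier accepts: IPv4, protocol 17, first fragment only."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if ihl < 20 or len(ip) < ihl or ip[9] != 17:
        return None
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:  # non-first fragment: no UDP header here
        return None
    u = 14 + ihl
    if len(frame) < u + 8:
        return None
    sport, dport, ulen = struct.unpack("!HHH", frame[u:u + 6])
    return (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
            sport, dport, frame[u + 8:u + ulen])


def capture_filter_match(frame):
    """Stateless check, equivalent to the libpcap filter 'udp port 2550 and udp[8:4] == 0'
    (udp[n:m] indexes from the start of the UDP header, so udp[8:4] is the first 4 payload bytes)."""
    v = udp_view(frame)
    if v is None:
        return False
    _, _, sport, dport, payload = v
    if STTP_PORT not in (sport, dport) or len(payload) < 4:
        return False
    return struct.unpack("!I", payload[:4])[0] == 0


def first_in_stream(frames):
    """Stateful check: indexes of the first packet seen for each UDP 4-tuple on the STTP port.
    The 'seen' set is state carried from packet to packet; a BPF program has no such thing."""
    seen, hits = set(), []
    for i, frame in enumerate(frames):
        v = udp_view(frame)
        if v is None or STTP_PORT not in v[2:4]:
            continue
        if v[:4] not in seen:
            seen.add(v[:4])
            hits.append(i)
    return hits


def sttp(offset, data=b"media"):
    """Constructed STTP-like payload under the stated assumption: 4-byte offset, then data."""
    return struct.pack("!I", offset) + data


# Constructed sample capture: two senders on the question's subnets, one unrelated UDP packet, one ARP frame.
SAMPLE_FRAMES = [
    build_udp_frame("10.198.1.50", "10.198.1.200", 40000, STTP_PORT, sttp(0)),     # 0: stream A starts
    build_udp_frame("10.198.1.50", "10.198.1.200", 40000, STTP_PORT, sttp(1400)),  # 1: stream A continues
    build_udp_frame("10.198.1.50", "10.198.1.200", 40000, STTP_PORT, sttp(0)),     # 2: stream A back at offset 0
    build_udp_frame("10.198.4.7", "10.198.1.200", 40001, STTP_PORT, sttp(0)),      # 3: stream B starts
    build_udp_frame("10.198.2.9", "10.198.1.200", 40002, 5060, bytes(8)),          # 4: zero bytes, wrong port
    bytes(12) + b"\x08\x06" + bytes(28),                                           # 5: ARP, no IP at all
]


def pcap_bytes(frames):
    """Classic pcap file (LINKTYPE_ETHERNET) so the sample can be re-checked with real tools."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    stateless = [i for i, f in enumerate(SAMPLE_FRAMES) if capture_filter_match(f)]
    print("udp port 2550 and udp[8:4] == 0 matches:", stateless)                     # [0, 2, 3]
    print("first packet of each stream:           ", first_in_stream(SAMPLE_FRAMES))  # [0, 3]
    with open("sttp_sample.pcap", "wb") as fh:
        fh.write(pcap_bytes(SAMPLE_FRAMES))
```

The byte test matches packets 0, 2 and 3; the stream test matches only 0 and 3, because packet 2 is an offset-0 packet inside a flow that has already been seen, something no per-packet predicate can know. Running `tcpdump -r sttp_sample.pcap 'udp port 2550 and udp[8:4] == 0'` on the written file lists the same three packets as `capture_filter_match()`, which is the check that the Python stand-in and the real BPF filter agree; the stateful check, by contrast, is only ever post-capture work on a saved file. The `udp[...]` form is IPv4-only and, like libpcap, ignores non-first fragments.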

Comments

Thanks very much for the response, Guy - it's our own protocol for media transfer between our hardware and software applications. Would I be able to do something like piping the capture filter into a display filter in a different tshark session?